modelscope_img_generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward ModelScope image generator, with one documentation gap around where returned images are downloaded from.

Install only if you trust ModelScope with the prompts and any input images you provide. Be aware that the skill saves files locally and downloads the final image from a URL returned by ModelScope; that URL may point at a storage or CDN host rather than the main API host, so the outbound connection is not limited to the documented endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill explicitly instructs the use of an environment variable (`MODELSCOPE_API_KEY`) and makes outbound network requests to a third-party API, yet it declares no permissions. This is a transparency and governance gap: an agent or user may invoke a networked, secret-consuming skill without prior authorization or policy review.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The documentation claims the tool only connects to the official ModelScope endpoint, but the code later downloads the final image from the `output_image_url` value returned by the API without verifying its host. This creates a misleading trust boundary and can expose the runtime to unexpected outbound requests, including fetching attacker-controlled content if the upstream API is compromised or its response is manipulated.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The inline security comment says the hardcoded endpoint prevents redirection of the API key or data, but the code still performs `requests.get(output_image_url)` against a URL that is not hardcoded. Even if the Authorization header is not sent on that request, the comment materially understates the network exposure and may lead reviewers or operators to trust the tool more than is warranted.
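The two Intent-Code Divergence findings above describe the same gap: the image is fetched from whatever `output_image_url` the API returns. The remediation a reviewer would ask for is a host allowlist applied before the download, with redirects disabled and no Authorization header on that request. The following is an added example of that check, written for this review; it is not code from the skill or from ModelScope. The allowed hostnames are assumptions for illustration (the real list must come from the provider's documented API and storage domains), and `getter` stands in for `requests.get` so the example runs offline.

```python
"""Host-allowlisted download of a URL returned by a third-party API.

Added example for this review, not the skill's own code. The hostnames
in ALLOWED_DOWNLOAD_HOSTS are assumptions; replace them with the
provider's documented API/CDN domains.
"""
from urllib.parse import urlparse

# Assumed allowlist: the API host plus the storage/CDN host the skill
# expects image URLs to come from. Constructed for this example.
ALLOWED_DOWNLOAD_HOSTS = frozenset({
    "api.modelscope.example",
    "cdn.modelscope.example",
})


class UntrustedDownloadURL(ValueError):
    """Raised when a returned URL fails the pre-download checks."""


def check_download_url(url, allowed_hosts=ALLOWED_DOWNLOAD_HOSTS):
    """Return `url` unchanged if it is safe to fetch, else raise.

    Checks, in order: https only; no embedded userinfo (defeats the
    `https://good.host@evil.host/` trick); default port only; exact
    hostname match against the allowlist (so `good.host.evil.host`
    and bare IPs are rejected).
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise UntrustedDownloadURL(f"scheme {parts.scheme!r} is not https")
    if parts.username is not None or parts.password is not None:
        raise UntrustedDownloadURL("credentials embedded in URL")
    if parts.port not in (None, 443):
        raise UntrustedDownloadURL(f"non-default port {parts.port}")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise UntrustedDownloadURL(f"host {host!r} not in allowlist")
    return url


def is_allowed_download_url(url, allowed_hosts=ALLOWED_DOWNLOAD_HOSTS):
    """Boolean form of check_download_url for callers that prefer a test."""
    try:
        check_download_url(url, allowed_hosts)
    except UntrustedDownloadURL:
        return False
    return True


def fetch_output_image(output_image_url, getter,
                       allowed_hosts=ALLOWED_DOWNLOAD_HOSTS):
    """Fetch the generated image only from an allowlisted host.

    `getter` is a requests.get-compatible callable (injected so the
    example runs offline). Note what is *not* passed: no `headers`, so
    the API key never travels to the download host, and
    `allow_redirects=False` so a 3xx cannot bounce the request to a
    host that was not allowlisted.

    Vulnerable original pattern (reproduced from the finding):
        requests.get(output_image_url)   # any host, follows redirects
    """
    safe_url = check_download_url(output_image_url, allowed_hosts)
    return getter(safe_url, allow_redirects=False, timeout=30)


if __name__ == "__main__":
    # Offline demonstration with a fake getter that just echoes its call.
    def fake_get(url, **kwargs):
        return url, kwargs

    for candidate in (
        "https://cdn.modelscope.example/out/1.png",
        "http://cdn.modelscope.example/out/1.png",
        "https://cdn.modelscope.example@attacker.example/1.png",
        "https://cdn.modelscope.example.attacker.example/1.png",
    ):
        print(candidate, "->", is_allowed_download_url(candidate))

    print(fetch_output_image("https://cdn.modelscope.example/out/1.png",
                             fake_get))
```

In a real skill, `requests.get` would be passed as `getter`; the point of the wrapper is that the allowlist, the redirect policy and the absence of the Authorization header live in one place a reviewer can read, which is what the inline comment in the skill promised but the code did not enforce.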

Vague Triggers

Medium
Confidence
81% confidence
Finding
The description says 'Use for image generation requests,' which is broad enough to encourage invocation in many loosely related situations without clear boundaries or safety gating. Over-broad routing can cause the agent to invoke a networked skill unnecessarily, increasing the exposure of prompts, file paths and the API key to the external service.

VirusTotal

67/67 vendors flagged this skill as clean.